fix: prevent command injection in example URL opening

Replace platform-specific subprocess calls with webbrowser.open() and
add URL scheme validation to the elicitation example client.

The previous Windows code path used shell=True with subprocess, which
allowed command injection via crafted URLs containing shell
metacharacters (e.g., & as a command separator in cmd.exe).

Changes:
- Remove subprocess/sys imports, use webbrowser.open() for all platforms
- Add URL scheme allowlist (http/https only) to prevent abuse via
  dangerous protocol handlers (file://, smb://, ms-msdt://, etc.)
- Align with the safe pattern already used in the OAuth example client

Author: maxisbey

examples/snippets/clients/url_elicitation_client.py

@@ -24,8 +24,6 @@
 
 import asyncio
 import json
-import subprocess
-import sys
 import webbrowser
 from typing import Any
 from urllib.parse import urlparse
@@ -121,15 +119,17 @@ def extract_domain(url: str) -> str:
         return "unknown"
 
 
+ALLOWED_SCHEMES = {"http", "https"}
+
+
 def open_browser(url: str) -> None:
-    """Open URL in the default browser."""
+    """Open URL in the default browser after validating the scheme."""
+    parsed = urlparse(url)
+    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
+        print(f"Refusing to open URL with unsupported scheme '{parsed.scheme}': {url}")
+        return
     try:
-        if sys.platform == "darwin":
-            subprocess.run(["open", url], check=False)
-        elif sys.platform == "win32":
-            subprocess.run(["start", url], shell=True, check=False)
-        else:
-            webbrowser.open(url)
+        webbrowser.open(url)
     except Exception as e:
         print(f"Failed to open browser: {e}")
         print(f"Please manually open: {url}")